U lHJe# @spddlZddlZddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZmZddlmZddlmZmZddlmZmZdd lmZm Z m!Z!dd l"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)m*Z*ddl+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2dZ3dZ4dZ5dZ6dZ7e dde8fde8fgZ9e dde:fde e9fde e8fde:fgZ;e dd e8fd!e8fd"e8fgZZ?e d(d$e?fde e e9fgZ@Gd)d*d*e0jAZBGd+d,d,ZCGd-d.d.ZDGd/d0d0ZEe e8e e8e8ffd1d2d3ZFe eEe e8e:fe e8e e8e e8e8fffd4d5d6ZGd7d8ZHe8ee e?e e8fd9d:d;ZIeDe eEe8e e8e e8e8ffe#e e8e:fe:e?d<d=d>ZJeEe eEe8e e8e e8e8ffe#e e8e:fe:e:e?d? d@dAZKde#e8e:e:e?dCdDdEZLdFdGZMdHdIZNeEe e8e e8e8ffe e8eCfdJdKdLZOeDe e8e e8e8ffe e8eCfdMdNdOZPe8e e8eCfdPdQdRZQeCe e8e e8e8ffeCdSdTdUZRdVdWZSe ee8eCfeTeTe8dXdYdZZUe8e#d[d\d]ZVe8e#e:d^d_d`ZWde?e8e8dbdcddZXe#e e8e ee8eCffe e8e e<feTeTe:e;dedfdgZYe e9e8dhdidjZZe#e8e e8eCfe e8e e8e8ffe e8e e8e e8e8fffe:e@dkdldmZ[dd1dndoZ\e#e8e:dpdqdrZ]e#dsdtduZ^e#e:dvdwdxZ_e#e8e:dydzd{Z`e#e:e:d|d}d~Zae8e#e:e:dddZbe#e:dvddZce e8efe#e:e:dddZde#e e8e8e:e=dddZedS)N) defaultdict)datetime)AnyDictList NamedTupleOptionalSetTuple)apt exceptions livepatchmessagessystemutil) _initiate)MagicAttachRevokeOptions_revoke)MagicAttachWaitOptions_wait)CLOUD_TYPE_TO_TITLEPRO_CLOUD_URLSget_cloud_type)UAConfig)PRINT_WRAP_WIDTH)entitlement_factory)ApplicabilityStatusUserFacingStatus)notices)Notice) serviceclient)colorize_commandsz=((CVE|cve)-\d{4}-\d{4,7}$|(USN|usn|LSN|lsn)-\d{1,5}-\d{1,2}$)z cves.jsonzcves/{cve}.jsonz notices.jsonznotices/{notice}.jsonUnfixedPackagepkgunfixed_reasonReleasedPackagesInstallResult fix_status unfixed_pkgsinstalled_pkgsall_already_installedBinaryPackageFix source_pkg binary_pkg fixed_version UpgradeResultstatusfailure_reasonc@sZeZdZdZGdddZeddZeddZeddZed d Ze d d Z d dZ dS) FixStatuszD An enum to represent the system status after fix operation c@seZdZeedddZdS)zFixStatus._ValuevaluemsgcCs||_||_dSNr2)selfr3r4r73/usr/lib/python3/dist-packages/uaclient/security.py__init__[szFixStatus._Value.__init__N)__name__ __module__ __qualname__intstrr9r7r7r7r8_ValueZsr?rZfixed not-affectedzstill-affectedzaffected-until-rebootcCs|jjSr5)r3r6r7r7r8 exit_codedszFixStatus.exit_codecCs|jjSr5r2rCr7r7r8__str__hszFixStatus.__str__N) r:r;r<__doc__r?SYSTEM_NON_VULNERABLESYSTEM_NOT_AFFECTEDSYSTEM_STILL_VULNERABLESYSTEM_VULNERABLE_UNTIL_REBOOTpropertyrDrEr7r7r7r8r1Us     r1 FixResultc seZdZdZdZeeefeeefdddZe j e j dddgd dfd d Z deeeeeeeeeeeeeeeeeed d ddZed dddZdeeeeeeeeeeeddddZeddddZZS)UASecurityClientZ security_url) query_paramsreturncCs.|jjdidi}|r*|||S|S)zD Update query params with data from feature config. Zfeaturesextra_security_params)cfggetupdate)r6rOrQr7r7r8_get_query_paramszs z"UASecurityClient._get_query_paramsrA)Z retry_sleepsNcs"||}tj|||||ddS)NF)pathdataheadersmethodrOZlog_response_body)rUsuper request_url)r6rXrYrZr[rO __class__r7r8r]s zUASecurityClient.request_urlCVE) queryprioritypackagelimitoffset componentversionr/rPc sV||||||||d} jt| d} | jdkrBtjt| j| jdfdd| jDS)znQuery to match multiple-CVEs. @return: List of CVE instances based on the the JSON response. )qrbrcrdrerfrgr/rOurlcodebodycsg|]}t|dqS)clientresponse)r`).0Zcve_mdrCr7r8 sz-UASecurityClient.get_cves..)r] API_V1_CVESrmr SecurityAPIErrorrnZ json_list) r6rarbrcrdrerfrgr/rOrqr7rCr8get_cvess&   zUASecurityClient.get_cves)cve_idrPcCsBtj|d}||}|jdkr4tj||j|jdt||jdS)zkQuery to match single-CVE. @return: CVE instance for JSON response from the Security API. cverjrkro) API_V1_CVE_TMPLformatr]rmr rurnr` json_dict)r6rwrlrqr7r7r8get_cves   zUASecurityClient.get_cveUSN)detailsreleaserdreorderrPcsf||||d}jt|d}|jdkr.rcSs|jSr5idxr7r7r8z.UASecurityClient.get_notices..key) r]API_V1_NOTICESrmr rurnsortedr|rS)r6rrrdrerrOrqr7rr8 get_noticess&    zUASecurityClient.get_notices) notice_idrPcCsBtj|d}||}|jdkr4tj||j|jdt||jdS)zbQuery to match single-USN. @return: USN instance representing the JSON response. )noticerjrkro) API_V1_NOTICE_TMPLr{r]rmr rurnr~r|)r6rrlrqr7r7r8 get_notices   zUASecurityClient.get_notice)NNNN)NNNNNNNN)NNNNN)r:r;r<Z url_timeoutZcfg_url_base_attrrr>rrUrZretrysocketZtimeoutr]rr=rrvr}rr __classcell__r7r7r^r8rMusZ    " !rMc@seZdZdZeeefdddZeddZ eddZ ed d Z ed d Z ed dZ eddZeedddZeddZdS)CVEPackageStatuszAClass representing specific CVE PackageStatus on an Ubuntu series cve_responsecCs ||_dSr5rq)r6rr7r7r8r9szCVEPackageStatus.__init__cCs |jdSN descriptionrrCr7r7r8rszCVEPackageStatus.descriptioncCs|jSr5)rrCr7r7r8r-szCVEPackageStatus.fixed_versioncCs |jdS)NpocketrrCr7r7r8rszCVEPackageStatus.pocketcCs |jdS)Nrelease_codenamerrCr7r7r8r sz!CVEPackageStatus.release_codenamecCs |jdS)Nr/rrCr7r7r8r/ szCVEPackageStatus.statuscCs|jdkrtjS|jdkr tjS|jdkr0tjS|jdkr@tjS|jdkrPtjS|jdkr`tjS|jdkrztjj |j dStj j |jd S) NZneededz needs-triagepending)ignoreddeferredZDNEr@released)Z fix_stream)r/) r/rZSECURITY_CVE_STATUS_NEEDEDZSECURITY_CVE_STATUS_TRIAGEZSECURITY_CVE_STATUS_PENDINGZSECURITY_CVE_STATUS_IGNOREDZSECURITY_CVE_STATUS_DNEZ SECURITY_CVE_STATUS_NOT_AFFECTEDZSECURITY_FIX_RELEASE_STREAMr{ pocket_sourceZSECURITY_CVE_STATUS_UNKNOWNrCr7r7r8status_messages"       zCVEPackageStatus.status_messagerPcCst|jtjkS)z?Return True if the package requires an active Pro subscription.)boolrr'SECURITY_UBUNTU_STANDARD_UPDATES_POCKETrCr7r7r8 requires_ua%s zCVEPackageStatus.requires_uacCsR|jdkrtj}n<|jdkr$tj}n*|jdkr6tj}nd|jkrHtj}ntj}|S)z>Human-readable string representing where the fix is published. esm-infraesm-apps)ZupdatesZsecurityZesm)rrSECURITY_UA_INFRA_POCKETSECURITY_UA_APPS_POCKETrr-)r6Z fix_sourcer7r7r8r-s    zCVEPackageStatus.pocket_sourceN)r:r;r<rFrr>rr9rKrr-rrr/rrrrr7r7r7r8rs$      rc@seZdZdZeeeefdddZe dddZ e dd Z d d Z e eedd d Ze eddddZe ddZe eeefdddZdS)r`z7Class representing CVE response from the SecurityClientrocCs||_||_dSr5rqrpr6rprqr7r7r8r9Bsz CVE.__init__rcCst|tsdS|j|jkSNF) isinstancer`rqr6otherr7r7r8__eq__Fs z CVE.__eq__cCs|jddS)NrZUNKNOWN_CVE_IDrqrSupperrCr7r7r8rKszCVE.idcCsN|j}|jD]}|j}qq dj|j|ddtjjj|jdg}d|S)z2Return a string representing the URL for this cve.{issue}: {title}issuetitle - {}rx ) rrrr{rrurlsSECURITY_CVE_PAGEjoin)r6rrlinesr7r7r8get_url_headerOs zCVE.get_url_headercCs|jdgS)N notices_idsrqrSrCr7r7r8r^szCVE.notices_idsr~cs<tds6tfddjdgDdddd_jS) zReturn a list of USN instances from API response 'notices'. Cache the value to avoid extra work on multiple calls. _noticescsg|]}tj|qSr7)r~rp)rrrrCr7r8rsjszCVE.notices..rcSs|jSr5rnr7r7r8rnrzCVE.notices..Trreverse)hasattrrrqrSrrCr7rCr8rbs   z CVE.noticescCs |jdSrrrCr7r7r8rsszCVE.descriptioncCsbt|dr|jSi|_tj}|jdD]0}|dD]"}|d|kr6t||j|d<q6q*|jS)zDict of package status dicts for the current Ubuntu series. Top-level keys are source packages names and each value is a CVEPackageStatus object _packages_statusZpackagesZstatusesrname)rrrget_release_infoseriesrqr)r6rrc pkg_statusr7r7r8packages_statusws    zCVE.packages_statusN)r:r;r<rFrMrr>rr9rrrKrrrrrrrrr7r7r7r8r`?s  r`c@seZdZdZeeeefdddZe dddZ e eddd Z e e edd d Ze e edd d Ze ddZe ddZddZe eeeeeeefffdddZdS)r~z7Class representing USN response from the SecurityClientrocCs||_||_dSr5rrr7r7r8r9sz USN.__init__rcCst|tsdS|j|jkSr)rr~rqrr7r7r8rs z USN.__eq__cCs|jddS)NrZUNKNOWN_USN_IDrrCr7r7r8rszUSN.idcCs|jdgS)z$List of CVE IDs related to this USN.rrrCr7r7r8rsz USN.cves_idscs<tds6tfddjdgDdddd_jS) zList of CVE instances based on API response 'cves' key. Cache the values to avoid extra work for multiple call-sites. _cvescsg|]}tj|qSr7)r`rp)rrryrCr7r8rsszUSN.cves..cvescSs|jSr5rrr7r7r8rrzUSN.cves..Tr)rrrqrSrrCr7rCr8rs   zUSN.cvescCs |jdS)NrrrCr7r7r8rsz USN.titlecCs |jdS)N referencesrrCr7r7r8rszUSN.referencescCsdj|j|jdg}|jrN|d|jD] }|dtjjj|dq*n*|jrx|d|jD]}|d|qdd |S) z5Return a string representing the URL for this notice.rrz Found CVEs:rrxzFound Launchpad bugs:z - r) r{rrrappendrrrrr)r6rryZ referencer7r7r8rs    zUSN.get_url_headercCsVt|dr|jStj}i|_|jdi|gD]}|dr|d|jkrd|j|dkrtjdj |j |dd|j dd ||j|dd<nd|i|j|d<q6|d stjd j |j |dd |j dd n6d |d krtjdj |j |d|d d|j dd |d  d d}||jkrrr9rrrKrrrr`rrrrrr7r7r7r8r~s   r~rc Cs|d}tdd|ddg\}}i}|D]J}|d\}}}}|sJ|}d|krTq,||krj||||<q,||i||<q,|S)zReturn a dict of all source packages installed on the system. The dict keys will be source package name: "krb5". The value will be a dict with keys binary_pkg and version. z${db:Status-Status}z dpkg-queryz#-f=${Package},${Source},${Version},rz-W,Z installed)rZsubp splitlinesr) Z status_fieldoutZ_errinstalled_packagesZpkg_linepkg_namerZ pkg_versionr/r7r7r8#query_installed_source_pkg_versionss$  r)usns beta_pocketsrPc si}|D]}|jD]\}}fdd|D}||krJ|rJ|||<q||kr||}|D]F\}} ||kr|| ||<qb||d} | d} t| | dkrb| ||<qbqq|S)aWalk related USNs, merging the released binary package versions. For each USN, iterate over release_packages to collect released binary package names and required fix version. If multiple related USNs require different version fixes to the same binary package, track the maximum version required across all USNs. :param usns: List of USN response instances from which to calculate merge. :param beta_pockets: Dict keyed on service name: esm-infra, esm-apps the values of which will be true of USN response instances from which to calculate merge. :return: Dict keyed by source package name. Under each source package will be a dict with binary package name as keys and binary package metadata as the value. c s.i|]&\}}d|dddkr||qS)FrNonerS)rrZ bin_pkg_nameZ bin_pkg_mdrr7r8 Fs z>merge_usn_released_binary_package_versions..rgr)ritemsr version_compare) rrZusn_pkg_versionsrsrc_pkgZbinary_pkg_versionsZpublic_bin_pkg_versionsZ usn_src_pkgrZ binary_pkg_mdZ prev_versionZcurrent_versionr7rr8*merge_usn_released_binary_package_versions/s*      rcCsn|js gSi}|jD]@}|jD]4}|ds.q||jkr:q||kr|j|d||<qqtt|dddS)zFor a give usn, get the related USNs for it. For each CVE associated with the given USN, we capture other USNs that are related to the CVE. We consider those USNs related to the original USN. zUSN-rcSs|jSr5rrr7r7r8r|rz"get_related_usns..r)rr startswithrrlistrvalues)rrp related_usnsryZrelated_usn_idr7r7r8get_related_usnsas     r)issue_idrPcCsft}|dk rb|jdk rb|jjdk rb|jjD]2}|j|kr.|jr.|jjpPd}tj|fSq.dS)NzN/A)NN) r r/fixesrlowerZpatchedrgr1rG)rZ lp_statusZfixrgr7r7r8_check_cve_fixed_by_livepatchs   r)ryrrrrRrdry_runrPc Cs2t||d}t||}tt||||||djS)N)ryrrRraffected_pkg_statusrusn_released_pkgsr)'get_cve_affected_source_packages_statusrprintprompt_for_affected_packagesr/) ryrrrrRrrrrr7r7r8_fix_cves" r) rrrrrRrr no_relatedrPc Cstdtjj|dt||d}t|g|} t||||| |d\} } | tjtj fkrZ| S|rb|rf| Stdtj jd dd|Ddtdtj i} |D]R} td | j t| |d}t| g|} t|| j ||| |d}|| | j <tqttjt| |tjd d }|D]} | | j j}t|| j tjd |tjkr`td tjjd dd}|tjkr| | j jp|g}|D]"}|jrtd|j|jqd}q|rtdtjj|d| S)Nrrrrrz - css|] }|jVqdSr5r)rrrr7r7r8 sz_fix_usn..)rz- {})contextF- fix operationZ operationTz - {}: {})rrZSECURITY_FIXING_REQUESTED_USNr{get_affected_packages_from_usnrrr1rGrHZSECURITY_RELATED_USNSrZSECURITY_FIXING_RELATED_USNSrZSECURITY_USN_SUMMARY_handle_fix_status_messageZFIX_ISSUE_CONTEXT_REQUESTEDr/ZFIX_ISSUE_CONTEXT_RELATEDrJENABLE_REBOOT_REQUIRED_TMPLrIr'r$r#ZSECURITY_RELATED_USN_ERROR)rrrrrRrrrrrZtarget_fix_status_Zrelated_usn_statusZ related_usnZrelated_fix_statusZfailure_on_related_usnr/r'Z unfixed_pkgr7r7r8_fix_usns        r F)rRrrrrPc Cs|rttj|}t|d}t}ttj|ttj|d}d|krt |\}}|rpttj j ||d|Sz|j |d} |j |d} Wn>tjk r} z| jdkrtj|d| W5d} ~ XYnXt| t| | |||||d Sz|j|d } t| |} WnBtjk rJ} z | jdkr6tj|d| W5d} ~ XYnXt| | jd sztjd ||d dt| | ||||||dSdS)NrR)rrr`)rrg)rw)rir)ryrrrrRrrrrz.{} metadata defines no fixed package versions.rr)rrrrrRrrr)rrZSECURITY_DRY_RUN_WARNINGrrMr_is_pocket_used_by_beta_servicerrrZCVE_FIXED_BY_LIVEPATCHr{r}rr rurmZSecurityIssueNotFoundrrrrrqrr ) rRrrrrprrZlivepatch_cve_statusZ patch_versionryrerr7r7r8fix_security_issue_ids             rcCs`i}|D]R}t||D]>\}}||kr4|||<q||j}t||jdkr|||<qq|S)Nr)rrr-r r)rr affected_pkgsryrrZ current_verr7r7r8get_affected_packages_from_cvesvs    rcCsi}|jD]l\}}||kr qtt}d|d<dd|D}|s`tjd|j|jdd||d<t |d ||<q|S) Nrr/cSs"h|]\}}|dr|dqS)rr)rrr Z pkg_bin_infor7r7r8 s z1get_affected_packages_from_usn..zC{} metadata defines no pocket information for any release packages.rrrr) rrrr>r rr{rpopr)rrrrZpkg_inforZ all_pocketsr7r7r8r s* r )rrrPcCs |jrt|j|St||SdS)zWalk CVEs related to a USN and return a dict of all affected packages. :return: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. N)rrr rr7r7r8 get_usn_affected_packages_statuss r)ryrrPcCs8i}|jD]$\}}|jdkr"q||kr|||<q|S)zGet a dict of any CVEPackageStatuses affecting this Ubuntu release. :return: Dict of active CVEPackageStatus keyed by source package names. r@)rrr/)ryrZaffected_pkg_versionsr+Zpackage_statusr7r7r8rs  r)rrcCstt|}|dkr6ttjtdtjj|dddStj|j|dt | d}tt j |t dd d dS) a Print header strings describing affected packages related to a CVE/USN. :param issue_id: String of USN or CVE issue id. :param affected_pkg_status: Dict keyed on source package name, with active CVEPackageStatus for the current Ubuntu release. rrr)rrN, )countpkgs F)widthsubsequent_indentZreplace_whitespace)lenrrZSECURITY_NO_AFFECTED_PKGSSECURITY_ISSUE_UNAFFECTEDr{ZSECURITY_AFFECTED_PKGS pluralizerrkeystextwrapfillr)rrrr4r7r7r8print_affected_packages_headers0   r#)rusn_src_released_pkgsrPcCsft|}|rb|drbd|jd<|dd|jd<|D]$\}}|d}|r<||jd<qbq<|S)aParse release status based on both pkg_status and USN.release_packages. Since some source packages in universe are not represented in CVEPackageStatus, rely on presence of such source packages in usn_src_released_pkgs to represent package as a "released" status. :param pkg_status: the CVEPackageStatus for this source package. :param usn_src_released_pkgs: The USN.release_packages representing only this source package. Normally, release_packages would have data on multiple source packages. :return: Tuple of: human-readable status message, boolean whether released, boolean whether the fix requires access to UA rrr/rgrr)copydeepcopyrSrqr)rr$usn_pkg_statusrZusn_released_pkgrr7r7r8#override_usn_release_package_statuss     r(cCsdi}t|D]N\}}||i}t||}|jdd}||krLg||<||||fq|S)Nrr)rrrSr(r/replacer)rrZ status_groupsrrusn_released_srcr'Z status_groupr7r7r8group_by_usn_package_status s r+)pkg_status_list pkg_indexnum_pkgsrPcCs|sdSg}g}|D],\}}|d7}|d||||qtjddd|ddt|tdd }d ||jS) z;Format the packages and status to an user friendly message.rrAz{}/{}z{} {}:(r)rrrz{} {})rr{r!r"rrrr)r,r-r.Z msg_indexZsrc_pkgsrrZ msg_headerr7r7r8_format_packages_messages"   r2)rrRcCs>d}|tjkrd}n|tjkr"d}t||d}|r:||SdS)Nzno-service-neededrr)rRr)rrrr)rrRZservice_to_checkZent_clsr7r7r8_get_service_for_pocket3s   r3)rrRrPcCs4t||}|r0|\}}|tjkr(dS|j SdS)zBCheck if the pocket where the fix is at belongs to a beta service.F)r3user_facing_statusrACTIVEZ valid_service)rrRent ent_statusr r7r7r8r>s   rr)r/rrcCs|tjkr>|r tjj||d}ntjj|d}tt|n|tj kr||r^tj j||d}ntj j|d}tt|np|tj kr|rtj j||d}ntjj|d}tt|n2|rtj j||d}ntjj|d}tt|dS)N)rr)r)r1rGrZ%SECURITY_ISSUE_RESOLVED_ISSUE_CONTEXTr{ZSECURITY_ISSUE_RESOLVEDrrZhandle_unicode_charactersrHZ'SECURITY_ISSUE_UNAFFECTED_ISSUE_CONTEXTrrJZ)SECURITY_ISSUE_NOT_RESOLVED_ISSUE_CONTEXTZSECURITY_ISSUE_NOT_RESOLVED)r/rrr4r7r7r8r Ns>   r )rRsrc_pocket_pkgsbinary_pocket_pkgsr-r.rrPcs~d}d}g}t} |rntjtjtjfD]B} || } || } tjj| d|r8t| ||d} | rt| | s~ttj q(nd}g}t | D]v}| tjk}t j |j |d}|rt |j|dkr||j qtjj|j |jd}td||t|j|d q|t| 7}t||| |d }||jM}|jp6d |sX|fd d | Dq(| dd| Dq(t||| |dS)a%Handle the packages that could be fixed and have a released status. :returns: Tuple of boolean whether all packages were successfully upgraded, list of strings containing the packages that were not upgraded, boolean whether all packages were already installed Tservicer,r-r.F)check_esm_cacher)rcrgrr#r$)rR upgrade_pkgsrrrcsg|]\}}t|dqSr>r"rrrr Z failure_msgr7r8rss z2_handle_released_package_fixes..css|] }|jVqdSr5)r,)rrr,r7r7r8rsz1_handle_released_package_fixes..)r&r'r(r))setrrrrSECURITY_UA_SERVICE_REQUIREDr{r2rZSECURITY_UPDATE_INSTALLEDrr Zget_pkg_candidate_versionr,rr-rZFIX_CANNOT_INSTALL_PACKAGEr"r+rupgrade_packages_and_attachr/r0extendrTr%)rRr8r9r-r.rr)Zupgrade_statusr'r(rZ pkg_src_groupZ binary_pkgsr4r?r,r=Zcandidate_versionr$Zupgrade_resultr7rCr8_handle_released_package_fixesss          rH)r'rPcCsBtdd|D}t|}tjtj|j|d|dt ddS)zFormat the list of unfixed packages into an message. :returns: A string containing the message output for the unfixed packages. cSsh|] }|jqSr7)r#)rrr#r7r7r8rsz/_format_unfixed_packages_msg..r)r.rrr1) rrr!r"rZSECURITY_PKG_STILL_AFFECTEDrr{rr)r'Z sorted_pkgsZnum_pkgs_unfixedr7r7r8_format_unfixed_packages_msgsrI)rRrrrrrrPc st|}t|||dkr(ttjddStt}tt}d} t||} g} t| D]\} } | dkrtj }t t | | |d| t| 7} | ddj | fdd| D7} qV| D]\}}||j||f|| D]\\}}||i}||krq||id d }t||dkr||jt|||d qqqVt|||| ||d }| |j7} t | rtt t| |jr|jr| rtjntj }n\tj|jd rtjjdd}t |t j!t"j#dd| rtjntj$}n| rtjntj }ntj}t%||t|| dS)aProcess security CVE dict returning a CVEStatus object. Since CVEs point to a USN if active, get_notice may be called to fill in CVE title details. :returns: An FixStatus enum value corresponding to the system state after processing the affected packages rN)r/r'rr<rAcsg|]\}}t|dqSr@rArBZ status_msgr7r8rs%sz0prompt_for_affected_packages..rgr)r+r,r-)rRr8r9r-r.r)r(rr)&rr#rLr1rHrrr+rrrGrr2rrrrSr rr*rHr'rIr&r)rIrZ should_rebootr(rr r{raddrZENABLE_REBOOT_REQUIREDrJr )rRrrrrrrr8r9r-Zpkg_status_groupsr'Z status_valueZpkg_status_groupZ fix_resultrrr,rgr*r-Zreleased_pkgs_install_resultZ reboot_msgr7rJr8rs                 rcCs6t\}}|tkr2ttjjt|t|ddS)z:Alert the user when running Pro on cloud with PRO support.)rZcloud_specific_urlN)rrrrZSECURITY_USE_PRO_TMPLr{rrS)Z cloud_typer r7r7r8*_inform_ubuntu_pro_existence_if_applicables rL)rRtokenrPc Csddl}ddlm}ttdd|ggz$||j|dddd|}|dkWStjk r}zt|j WYd Sd}~XYnXdS) ztAttach to an Ubuntu Pro subscription with a given token. :return: True if attach performed without errors. rNcliproZattachTrO)rMZ auto_enabler{Z attach_configF) argparseuaclientrOrr!Z action_attach Namespacer ZUbuntuProErrorr4)rRrMrQrOZret_codeerrr7r7r8_run_ua_attachs"   rUrc Csttjt|d}tdtjj|jdt|jd}zt ||d}WnJt j k r}z*ttj t |jd}t||d|W5d}~XYnXtdtjt||jS)Nrr) user_code)Z magic_token)ZoptionsrR)rrZCLI_MAGIC_ATTACH_INITrZCLI_MAGIC_ATTACH_SIGN_INr{rVrrMrr ZMagicAttachTokenErrorZCLI_MAGIC_ATTACH_FAILEDrrZCLI_MAGIC_ATTACH_PROCESSINGrUZcontract_token)rRZ initiate_respZ wait_optionsZ wait_resprZrevoke_optionsr7r7r8_perform_magic_attachs*     rW)rRrPcCsjtttjtjtjdddgd}|dkr2dS|dkrBt|S|dkrfttjt d}t ||SdS)zZPrompt for attach to a subscription or token. :return: True if attach performed. sacZ valid_choicesF> T) rLrrZ*SECURITY_UPDATE_NOT_INSTALLED_SUBSCRIPTIONrprompt_choicesZSECURITY_FIX_ATTACH_PROMPTrWZPROMPT_ENTER_TOKENinputrU)rRchoicerMr7r7r8_prompt_for_attachs   r`)rRr;rPc Csddl}ddlm}ttjj|dtjtj j|dddgd}|dkrtt dd |ggt d| |j |gd d d d d |kSd S)zMPrompt for enable a pro service. :return: True if enable performed. rNrNr:rrZr[rPenableTFrO)r; assume_yesZbetar{Z access_only)rQrRrOrrZSECURITY_SERVICE_DISABLEDr{rr]ZSECURITY_FIX_ENABLE_PROMPTr!rZ action_enablerS)rRr;rQrOr_r7r7r8_prompt_for_enables0  rc)rRrrPcCs|rtdtjdSt|S)zstripZSECURITY_UA_APT_FAILURE)rRr?rrr4rjrr7r7r8rF^sz             rF)FF)r)fr%enumrr! collectionsrrtypingrrrrrr r rRr r r rrrZ+uaclient.api.u.pro.attach.magic.initiate.v1rZ)uaclient.api.u.pro.attach.magic.revoke.v1rrZ'uaclient.api.u.pro.attach.magic.wait.v1rrZuaclient.clouds.identityrrrZuaclient.configrZuaclient.defaultsrZuaclient.entitlementsrZ(uaclient.entitlements.entitlement_statusrrZuaclient.filesrZuaclient.files.noticesrZ uaclient.httpr Zuaclient.statusr!ZCVE_OR_USN_REGEXrtrzrrr>r"rr%r*r.Enumr1rLZUAServiceClientrMrr`r~rrrrrr rrr rrr#r(r+r=r2r3rr rHrIrrLrUrWr`rcrdrfrirlrFr7r7r7r8s\  $                 HL  2     t Y    " #   & s   "  +